The following is from Matt Bishop.
From bishop@nob.cs.ucdavis.edu Thu Jul 1 19:40:36 1999
Return-Path: <bishop@nob.cs.ucdavis.edu>
Received: from baton.cs.ucdavis.edu (baton.cs.ucdavis.edu [169.237.6.6])
by linus.mitre.org (8.8.7/8.8.7) with ESMTP id TAA17757
for <coley@linus.mitre.org>; Thu, 1 Jul 1999 19:40:35 -0400 (EDT)
Received: from nob.cs.ucdavis.edu (nob.cs.ucdavis.edu [169.237.6.105]) by baton.cs.ucdavis.edu (8.8.8/8.7.2 Mainx) with ESMTP id QAA15443; Thu, 1 Jul 1999 16:36:01 -0700 (PDT)
Received: from nob.cs.ucdavis.edu (localhost [127.0.0.1])
by nob.cs.ucdavis.edu (8.9.3/8.9.1) with ESMTP id QAA03090;
Thu, 1 Jul 1999 16:40:33 -0700 (PDT)
(envelope-from bishop@nob.cs.ucdavis.edu)
Message-Id: <199907012340.QAA03090@nob.cs.ucdavis.edu>
To: "Steven M. Christey" <coley@linus.mitre.org>
cc: bishop@cs.ucdavis.edu
Reply-To: Matt Bishop <bishop@cs.ucdavis.edu>
Subject: Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's
In-reply-to: Your message of Wed, 30 Jun 1999 19:45:05 -0400.
<199906302345.TAA03673@basie.mitre.org>
Date: Thu, 01 Jul 1999 16:40:32 -0700
From: Matt Bishop <bishop@nob.cs.ucdavis.edu>
Steve,
DOVES probably uses a "same attack" approach, given your terminology.
My focus is on the nature of the vulnerability: what preconditions
must exist for the vulnerability to exist (and therefore, in my lexicon,
for the attack to work). Hence my opinion that it's a "same attack"
approach.
I've been silent for a while, though, because I question whether
either an attack or a codebase approach is correct.
Let's take the example being bandied about: program version 1 has
a vulnerability that lets you crash the computer. In version 2, that
same program, when sent the same attack, gives you supervisor privileges.
Both a crash and a supervisor privilege put the system into an
unauthorized state. They began when the system was in a vulnerable state,
and executed the same commands to reach the unauthorized state. Hence
the attacks were the same. But the state transitions are different; otherwise,
the resultant (unauthorized) states would be the same. Hence I
view this as two different vulnerabilities.
I should point out the codebase issue is also orthogonal to this.
The program may not have changed at all. But the OS, and hence the
effect of the same attack upon the same codebase, may have (has, in the
above example).
I don't know if this helps, hurts, or is completely tangential to what
you need. But please feel free to post this to the list if you think it's
useful.
Matt